private void DataGrid_RIP_CopySignature(object sender, RoutedEventArgs e)
{
RIPEntry entry = this.DataGrid_RIP.SelectedItem as RIPEntry;
if (entry != null)
{
try
{
Clipboard.SetDataObject(entry.Signature);
}
catch
{ }
}
}
private void DataGrid_RIP_CopyTargetAddressString(object sender, RoutedEventArgs e)
{
RIPEntry entry = this.DataGrid_RIP.SelectedItem as RIPEntry;
if (entry != null)
{
try
{
Clipboard.SetDataObject(entry.TargetAddressString);
}
catch
{ }
}
}
private async void Button_ExportResults_Click(object sender, RoutedEventArgs e)
{
if (this.DataGrid_RIP == null)
{
return;
}
if (this.DataGrid_RIP.Items == null)
{
return;
}
var dialog = new SaveFileDialog();
dialog.Filter = "txt file (*.txt)|*.txt|all files (*.*)|*.*";
if (dialog.ShowDialog() == true)
{
SetUIEnabled(false);
var task = Task.Run(() =>
{
var file = dialog.FileName;
System.IO.StreamWriter sr = new System.IO.StreamWriter(file, false, System.Text.Encoding.ASCII);
foreach (var item in this.DataGrid_RIP.Items)
{
RIPEntry entry = item as RIPEntry;
string csv = "";
csv += String.Format("{0, -30}", entry.AddressRelativeString) + " ";
csv += String.Format("{0, -16}", entry.AddressString) + " ";
csv += String.Format("{0, -30}", entry.TargetAddressRelativeString) + " ";
csv += String.Format("{0, -16}", entry.TargetAddressString) + " ";
csv += String.Format("{0, -64}", entry.Signature) + Environment.NewLine;
sr.Write(csv);
}
sr.Close();
});
await task;
MessageBox.Show("Complete.");
SetUIEnabled(true);
}
}
private async void Button_ExportResults_Click(object sender, RoutedEventArgs e)
{
if (this.DataGrid_RIP == null)
{
return;
}
if (this.DataGrid_RIP.Items == null)
{
return;
}
var window = (Window)this.VisualRoot;
var dialog = new SaveFileDialog
{
Filters = new List <FileDialogFilter> {
new FileDialogFilter {
Name = "binary file (*.bin)", Extensions = new List <string> {
"bin"
}
},
new FileDialogFilter {
Name = "all files (*.*)", Extensions = new List <string> {
"*"
}
},
}
};
var file = await dialog.ShowAsync(window);
if (string.IsNullOrEmpty(file))
{
return;
}
SetUIEnabled(false);
var task = Task.Run(() =>
{
System.IO.StreamWriter sr = new System.IO.StreamWriter(file, false, System.Text.Encoding.ASCII);
foreach (var item in this.DataGrid_RIP.Items)
{
RIPEntry entry = item as RIPEntry;
string csv = "";
csv += String.Format("{0, -30}", entry.AddressRelativeString) + " ";
csv += String.Format("{0, -16}", entry.AddressString) + " ";
csv += String.Format("{0, -30}", entry.TargetAddressRelativeString) + " ";
csv += String.Format("{0, -16}", entry.TargetAddressString) + " ";
csv += String.Format("{0, -64}", entry.Signature) + Environment.NewLine;
sr.Write(csv);
}
sr.Close();
});
await task;
MessageBox.Show("Complete.");
SetUIEnabled(true);
}
private async void Button_StartScan_Click(object sender, RoutedEventArgs e)
{
DataGrid_RIP.DataContext = null;
entries = new List <RIPEntry>();
TextBox_Log.Clear();
GC.Collect();
if (string.IsNullOrWhiteSpace(TextBox_FilterString.Text))
{
var result = await MessageBox.Show("Requires huge memories to run without filter.\n If results are more than 1M, snip them.\n Procced?", "Caution", MessageBoxButton.OKCancel);
if (result != MessageBoxResult.OK)
{
return;
}
}
if (this.RadioButton_Group1_Process.IsChecked == true)
{
if (TargetProcess == null)
{
return;
}
//List<RIPEntry> entries = new List<RIPEntry>();
Stopwatch stopwatch = new Stopwatch();
SetUIEnabled(false);
List <string> filters = ParseFilter();
foreach (var f in filters)
{
TextBox_Log.AppendText($"filter: {f}" + Environment.NewLine);
}
bool searchFromAllModules = CheckBox_AllModules.IsChecked ?? false;
bool onlyLEA = CheckBox_OnlyLEA.IsChecked ?? false;
List <ProcessModule> ProcessModules = new List <ProcessModule>();
if (searchFromAllModules)
{
foreach (ProcessModule m in TargetProcess.Modules)
{
ProcessModules.Add(m);
}
}
else
{
if (ComboBox_SpecificModule.SelectedItem != null)
{
ProcessModules.Add((ProcessModule)ComboBox_SpecificModule.SelectedItem);
}
else
{
ProcessModules.Add(TargetProcess.MainModule);
}
}
var task = Task.Run(() =>
{
foreach (var m in ProcessModules)
{
int moduleMemorySize = m.ModuleMemorySize;
IntPtr startAddres = m.BaseAddress;
IntPtr endAddres = new IntPtr(m.BaseAddress.ToInt64() + moduleMemorySize);
this.Dispatcher.Invoke((Action)(() =>
{
TextBox_Log.AppendText($"----------------------------------------------------" + Environment.NewLine);
TextBox_Log.AppendText($"Module Name: {m.ModuleName}" + Environment.NewLine);
TextBox_Log.AppendText($"File Name: {m.FileName}" + Environment.NewLine);
TextBox_Log.AppendText($"Module Size: {moduleMemorySize.ToString("#,0")} Byte" + Environment.NewLine);
TextBox_Log.AppendText($"Start Address: {startAddres.ToInt64().ToString("X2")} ({startAddres.ToInt64()})" + Environment.NewLine);
TextBox_Log.AppendText($"End Address : {endAddres.ToInt64().ToString("X2")} ({endAddres.ToInt64()})" + Environment.NewLine);
TextBox_Log.AppendText($"Scan started. Please wait..." + " ");
}));
stopwatch.Start();
IntPtr currentAddress = startAddres;
int bufferSize = 1 * 1024 * 1024;
byte[] buffer = new byte[bufferSize];
while (currentAddress.ToInt64() < endAddres.ToInt64())
{
// size
IntPtr nSize = new IntPtr(bufferSize);
// if remaining memory size is less than splitSize, change nSize to remaining size
if (IntPtr.Add(currentAddress, bufferSize).ToInt64() > endAddres.ToInt64())
{
nSize = (IntPtr)(endAddres.ToInt64() - currentAddress.ToInt64());
}
IntPtr numberOfBytesRead = IntPtr.Zero;
if (Helper.ReadProcessMemory(TargetProcessHandle, currentAddress, buffer, nSize, ref numberOfBytesRead))
{
for (int i = 0; i < numberOfBytesRead.ToInt64() - 4; i++)
{
var entry = new RIPEntry();
entry.Address = new IntPtr(currentAddress.ToInt64() + i);
entry.AddressValueInt64 = BitConverter.ToInt32(buffer, i);
entry.TargetAddress = new IntPtr(entry.Address.ToInt64() + entry.AddressValueInt64 + 4);
if (entry.TargetAddress.ToInt64() < startAddres.ToInt64() || entry.TargetAddress.ToInt64() > endAddres.ToInt64())
{
continue;
}
var offsetString1 = (entry.Address.ToInt64() - startAddres.ToInt64()).ToString("X");
if (offsetString1.Length % 2 == 1)
{
offsetString1 = "0" + offsetString1;
}
entry.AddressRelativeString = '"' + m.ModuleName + '"' + "+" + offsetString1;
var offsetString2 = (entry.TargetAddress.ToInt64() - startAddres.ToInt64()).ToString("X");
if (offsetString2.Length % 2 == 1)
{
offsetString2 = "0" + offsetString2;
}
entry.TargetAddressRelativeString = '"' + m.ModuleName + '"' + "+" + offsetString2;
if (filters.Any() &&
!filters.Any(x => x == entry.TargetAddressString) &&
!filters.Any(x => x == entry.TargetAddressRelativeString))
{
continue;
}
// Signature
int bufferSize2 = 64;
byte[] buffer2 = new byte[bufferSize2];
IntPtr nSize2 = new IntPtr(bufferSize2);
IntPtr numberOfBytesRead2 = IntPtr.Zero;
if (Helper.ReadProcessMemory(TargetProcessHandle, new IntPtr(entry.Address.ToInt64() - bufferSize2), buffer2, nSize2, ref numberOfBytesRead2))
{
if (numberOfBytesRead2.ToInt64() == bufferSize2)
{
if (onlyLEA && (buffer2.Length < 2 || buffer2[buffer2.Length - 2] != 0x8D))
{
continue;
}
entry.Signature = BitConverter.ToString(buffer2).Replace("-", "");
}
}
if (entries.Count < MaxEntries)
{
entries.Add(entry);
}
}
}
if ((currentAddress.ToInt64() + numberOfBytesRead.ToInt64()) == endAddres.ToInt64())
{
currentAddress = new IntPtr(currentAddress.ToInt64() + numberOfBytesRead.ToInt64());
}
else
{
currentAddress = new IntPtr(currentAddress.ToInt64() + numberOfBytesRead.ToInt64() - 4);
}
}
stopwatch.Stop();
this.Dispatcher.Invoke((Action)(() =>
{
TextBox_Log.AppendText($"Complete." + Environment.NewLine);
TextBox_Log.AppendText($"Result Count: {entries.Count.ToString("#,0")}" + Environment.NewLine);
TextBox_Log.AppendText($"Scan Time: {stopwatch.ElapsedMilliseconds}ms" + Environment.NewLine);
}));
}
});
await task;
DataGrid_RIP.Items = entries;
SetUIEnabled(true);
}
else if (this.RadioButton_Group1_File.IsChecked == true)
{
if (string.IsNullOrWhiteSpace(BinFileName))
{
return;
}
Stopwatch stopwatch = new Stopwatch();
SetUIEnabled(false);
List <string> filters = ParseFilter();
foreach (var f in filters)
{
TextBox_Log.AppendText($"filter: {f}" + Environment.NewLine);
}
var task = Task.Run(() =>
{
System.IO.FileStream fs = new System.IO.FileStream(BinFileName, System.IO.FileMode.Open, System.IO.FileAccess.Read);
System.IO.FileStream fs2 = new System.IO.FileStream(BinFileName, System.IO.FileMode.Open, System.IO.FileAccess.Read);
long startPosition = 0;
long endPosition = fs.Length;
long currentPosition = 0;
int bufferSize = 8 * 1024 * 1024;
byte[] buffer = new byte[bufferSize];
this.Dispatcher.Invoke((Action)(() =>
{
TextBox_Log.AppendText($"----------------------------------------------------" + Environment.NewLine);
TextBox_Log.AppendText($"File Name: {BinFileName}" + Environment.NewLine);
TextBox_Log.AppendText($"Module Size: {endPosition.ToString("#,0")} Byte" + Environment.NewLine);
TextBox_Log.AppendText($"Scan started. Please wait..." + " ");
}));
stopwatch.Start();
while (currentPosition < endPosition)
{
int readSize = fs.Read(buffer, 0, bufferSize);
for (int i = 0; i < readSize - 4; i++)
{
var entry = new RIPEntry();
entry.Address = new IntPtr(currentPosition + i);
entry.AddressValueInt64 = BitConverter.ToInt32(buffer, i);
entry.TargetAddress = new IntPtr(entry.Address.ToInt64() + entry.AddressValueInt64 + 4);
if (entry.TargetAddress.ToInt64() < startPosition || entry.TargetAddress.ToInt64() > endPosition)
{
continue;
}
var offsetString1 = (entry.Address.ToInt64() - startPosition).ToString("X");
if (offsetString1.Length % 2 == 1)
{
offsetString1 = "0" + offsetString1;
}
entry.AddressRelativeString = '"' + System.IO.Path.GetFileName(BinFileName) + '"' + "+" + offsetString1;
var offsetString2 = (entry.TargetAddress.ToInt64() - startPosition).ToString("X");
if (offsetString2.Length % 2 == 1)
{
offsetString2 = "0" + offsetString2;
}
entry.TargetAddressRelativeString = '"' + System.IO.Path.GetFileName(BinFileName) + '"' + "+" + offsetString2;
if (filters.Any() &&
!filters.Any(x => x == entry.TargetAddressString) &&
!filters.Any(x => x == entry.TargetAddressRelativeString))
{
continue;
}
// Signature
int bufferSize2 = 64;
byte[] buffer2 = new byte[bufferSize2];
int offset2 = entry.Address.ToInt32() - bufferSize2;
if (offset2 >= 0 && offset2 + bufferSize2 <= endPosition)
{
fs2.Seek(offset2, System.IO.SeekOrigin.Begin);
var readBytes = fs2.Read(buffer2, 0, bufferSize2);
if (readBytes == bufferSize2)
{
entry.Signature = BitConverter.ToString(buffer2).Replace("-", "");
}
}
if (entries.Count < MaxEntries)
{
entries.Add(entry);
}
}
if (readSize < bufferSize)
{
currentPosition += readSize;
}
else
{
currentPosition += (readSize - 4);
fs.Seek(-4, System.IO.SeekOrigin.Current);
}
}
fs.Close();
fs2.Close();
stopwatch.Stop();
this.Dispatcher.Invoke((Action)(() =>
{
TextBox_Log.AppendText($"Complete." + Environment.NewLine);
TextBox_Log.AppendText($"Result Count: {entries.Count.ToString("#,0")}" + Environment.NewLine);
TextBox_Log.AppendText($"Scan Time: {stopwatch.ElapsedMilliseconds}ms" + Environment.NewLine);
}));
});
await task;
DataGrid_RIP.DataContext = entries;
SetUIEnabled(true);
}
GC.Collect();
}
